Receive Connector Allow Relay for specific domain

    Question

  • Hi,

    Is there a way to allow relay on a receive connector but filter the allowed sender addresses using their domain?

    Monday, April 3, 2017 6:51 AM

Answers

  • To answer your concern, I'm reasonably sure you can create a transport rule that will block or do something else to a message from a particular domain and from a particular IP address.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Wednesday, April 5, 2017 11:45 PM
    Moderator

All replies

  • There is no filter for a sender domain on a receive connector.  Besides, that's a pretty sure way to allow spam to be routed through your servers because the sender domain is commonly spoofed.  If you know the sender's IP addresses, you could create a receive connector based on those IP addresses and allow it to relay.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    • Proposed as answer by vbhadauria Tuesday, April 4, 2017 6:05 AM
    Monday, April 3, 2017 6:28 PM
    Moderator
  • Hi Ed,

    Thank you for your answer. Although one may restrict the relay using the sender's IP address, this may not be sufficient for all scenarios.

    Take for example an Exchange organization that hosts email for two separate companies/domains. If relay is allowed for a system (using a dedicated receive connector and the IP of the system), that system will be able to relay a message as if it was sent by the other company.

    Monday, April 3, 2017 6:43 PM
  • Why wouldn't restricting by IP address be ideal for the situation you propose?  You know who the company is and you should be able to fix the IP address being used to send to you.

    Another option is to have them send using port 587 and authenticate to an account you provide them.

    But the first option is better.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Monday, April 3, 2017 7:05 PM
    Moderator
  • Hi,

    Let me provide an example. Let's say that we have an Exchange organization called E that is being run by the company E. We also have two other companies called A (companyA.com) and B (companyB.com).

    We have created a receive connector for each company and configured the IPs of the hosts that have to be able to relay messages.

    Correct me if I'm wrong, but a system from company A is able to relay a message whose sender email address belongs to the company B domain.


    Tuesday, April 4, 2017 11:41 AM
  • I don't understand what you're asking.

    Please understand that "relay" means accepting and routing a message with an e-mail address outside your organization.

    By "configured the IPs of the hosts" I presume you mean put those IP addresses in the RemoteIPRanges property of the relay connector.  Only one connector is required for all hosts allowed to relay.  By the way, this will work only if the source IP address is preserved in the packets sent to the Exchange server.

    To do this properly Company A's IP address should be for its Exchange server only, not their generic egress IP address.  Alternatively Company A should configure its firewall to restrict outbound SMTP to only hosts authorized to send SMTP.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Wednesday, April 5, 2017 5:45 AM
    Moderator
  • Hi,

    I'm sorry for the misunderstanding, the choice of "relay" was not correct. Allow me to form the question another way.

    We have an Exchange Organization that hosts two domains, companyA.com and companyB.com for two separate companies. We have a receive connector dedicated for these companies with the IPs of the companies' Exchange servers on the RemoteIPRanges of the receive connector.

    What prevents the Exchange server admin on companyA from using the old Exchange server to send a message using as sender address the address of a recipient in the companyB domain?

    Wednesday, April 5, 2017 5:36 PM
  • If you host mail for those two companies, why do you need receive connectors for their servers since they're in your organization?  I am totally lost.  Do the two companies also have their own Exchange servers?


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Wednesday, April 5, 2017 7:03 PM
    Moderator
  • The companies have not decommissioned their Exchange infrastructure since there are a lot of applications that have to be updated in order to use the new environment.
    Wednesday, April 5, 2017 7:08 PM
  • To answer your concern, I'm reasonably sure you can create a transport rule that will block or do something else to a message from a particular domain and from a particular IP address.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Wednesday, April 5, 2017 11:45 PM
    Moderator
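
One way to build the transport rule suggested in the answer above, as an added example that is not code from the thread: for each hosted company, reject mail that arrives from that company's legacy server IP but claims a sender address in another hosted company's domain. It generalizes the two-company case to any number of tenants. The tenant names, the documentation-range IP addresses and the rule names are constructed; the cmdlets and parameters are those of the on-premises Exchange Management Shell.

```powershell
# Added example, run in the Exchange Management Shell.
# Constructed inventory: replace the IPs with the real legacy Exchange servers,
# i.e. the same addresses listed in RemoteIPRanges on the relay receive connector.
$tenants = @(
    @{ Name = 'CompanyA'; Domain = 'companyA.com'; LegacyIPs = @('192.0.2.10') },
    @{ Name = 'CompanyB'; Domain = 'companyB.com'; LegacyIPs = @('198.51.100.20') }
)

foreach ($t in $tenants) {
    # Every hosted domain except the tenant's own is off limits for its legacy server.
    $foreignDomains = @($tenants |
        Where-Object { $_.Name -ne $t.Name } |
        ForEach-Object { $_.Domain })
    if ($foreignDomains.Count -eq 0) { continue }

    $ruleName = "Block cross-tenant sender from legacy relay - $($t.Name)"
    if (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue) {
        Write-Warning "Rule '$ruleName' already exists, skipping."
        continue
    }

    # Both conditions must match (AND): source IP is the tenant's legacy server
    # and the sender domain belongs to a different hosted tenant.
    # HeaderOrEnvelope checks the From header as well as the SMTP MAIL FROM,
    # so a clean envelope sender with a forged header is still caught.
    # Audit mode only logs matches; nothing is rejected until the rule is enforced.
    New-TransportRule -Name $ruleName `
        -SenderIpRanges $t.LegacyIPs `
        -SenderDomainIs $foreignDomains `
        -SenderAddressLocation HeaderOrEnvelope `
        -RejectMessageEnhancedStatusCode '5.7.1' `
        -RejectMessageReasonText 'This host is not authorized to send as this domain.' `
        -Mode Audit `
        -Comments 'Legacy relay host may only send as its own domain.'
}

# Review what was created before enforcing.
Get-TransportRule |
    Where-Object { $_.Name -like 'Block cross-tenant sender*' } |
    Format-Table Name, State, Mode, SenderIpRanges, SenderDomainIs -AutoSize
```

Once message tracking shows only the expected matches, switch each rule with `Set-TransportRule -Identity <rule name> -Mode Enforce`. As noted earlier in the thread for the connector, the IP condition is only meaningful if the source IP address is preserved on the way to the Exchange server.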
  • Thank you for your help Ed, I really appreciate it!
    Thursday, April 6, 2017 6:08 AM
  • Hi Chris,

    If the above suggestions are helpful to you, please mark them as answers so that someone who has a similar issue can find this thread as soon as possible.


    Best Regards,
    Jim Xu
    TechNet Community Support


    Please remember to mark the replies as answers if they helped.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, April 6, 2017 8:27 AM
    Moderator
  • You're welcome.  Happy to have helped.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Friday, April 7, 2017 2:48 AM
    Moderator